Understanding the CISO Role - Dimitrios Stergiou, Director of IT and Information Security @ Taptap Send

Sep 29, 2024

Episode Description

In this conversation, Adi interviews Jose Alvarado, the Director of Information Security at Stagg's Payment, about his journey in the field of cybersecurity. Jose shares how his interest in IT and networking led him to specialize in cybersecurity. They discuss the difference between IT and security roles, the importance of collaboration and communication in the security field, and the challenges of creating a security-focused culture within an organization. Jose also shares his experience dealing with a serious incident involving ransomware and emphasizes the need for organizations to assess and validate their security measures.

The conversation with Jose focused on the challenges and priorities in cybersecurity, the importance of effective communication, the issue of burnout in the industry, and advice for those starting out in cybersecurity. Jose emphasized the need for organizations to ensure they are actually implementing the security measures they claim to have in place. He also discussed the challenge of balancing technical expertise with business understanding and the importance of concise and effective communication. Jose highlighted the issue of burnout in the tech industry and emphasized the need for leaders to be aware of their team's workload and mental well-being. He advised those starting out in cybersecurity to prioritize gaining experience and knowledge, rather than focusing on money, and to seek out opportunities that provide a wide range of experiences. Jose also discussed the evolution of cybersecurity as a separate field and the satisfaction he finds in completing projects and seeing the results of his team's efforts.

Episode Transcript

hi everyone welcome to the handson cesa podcast my name is AD and today we'll be talking to Demetrius Stu if I said the

name correctly with over two decades insecurity and over a decade as seeso demetrius's information security

background is extremely comprehensive ranging from standards compliance technical security evaluation risk

management secureity development life cycle sex devops and social engineering

currently Demetrius is ciso of taptap sand group and today we'll hear more

about his journey and about security as a field Demetrius how you doing today

hey I'm good thank you for having me and you nailed it on the name which is really not happening that often for non-

Greek speakers but I'll give you a nine out of 10 thank you very much okay so

Demetrius you've come a long way in security can you tell me how did you get

started yeah I think I can summarize it to two key points one is I I think I was

always a nerd or a geek I don't think that term existed back in the late 80s early 90s when I was growing up but I

loved video games and I couldn't afford playing the video games where you feed in the coins So eventually I bought a

computer and I started playing at home and then I started making my own games uh so that got me into computers and

into the idea that I want to work somewhere in it whatever that meant back in the early 90s and then I thing what

got me into security is a combination of working with things like Linux and and networks and also I'm I'm not going to

hide it like I was heavily influenced by things like movies like war games and hickers back in

1995 I think that looks very interesting and very exciting thing to do so I started as a system engineer who

gradually moved into what today we would call I think it security and then gradually made it into information

security in the past 15 16 years I have been working as a seesure for number of

companies amazing and did you see a big difference between different companies

when you were in your Cesar years already was it pretty much the same way

you went or is it very com each company very different so I think there are some

similarities and some differences generally and being a bit cynical I will buet the companies into two main

categories one is the companies that hire Theo because they need to have one

they don't necessarily see the need but because some regulation or some board said okay why don't we have one of these

roles the hire SE they they don't want a lot of interruption from their seor they just want to be able to go through some

Audits and maybe have the SE talk externally and things like that and then the other bucket is the companies that

forced or not they see a need and they they see a value in having someone who runs security and then they hire you to

do exactly that um now when it comes to the day-to-day things that you do

they're pretty similar between these two buckets of companies but I think what differs is the Mandate that you have and

the level of change and influence you can exert on the organization depending on which bucket of companies hired

you interesting I would assume that the companies that value security are the ones that

are more enjoyable to work for I again syal being

cynical it's not a huge difference if you know what you're stepping into right so if you know that I'm going to step

into this company I'm going to be able to do little things and I'll try my best that that has its interest because

you're giving a very small box to play with and you need to stay within that box and but you still need to achieve some things and if you are working for

the other bucket of companies you have a much bigger box but then you have limitations like you can't have unlimited budget to touch everything in

that box and so on so they both come with challenges I think the most important thing and what I tell people

is make sure you understand what they're hiring you for if they just want to have you in the orc chart or if they want to

want you to come in and destroy everything and and then rebuild it in a better way interesting what is your dayto day

look like now uh dayto day yeah it's not very standardized so

it differs some days I have a lot of meetings when I need to talk to both internal and external stakeholders some

days are are dedicated to updating or creating new documentation needing for an information security management

system I do spend quite some time with Auditors but that's kind of seasonal so there are seasons with high level of

audits and Seasons with low level of audits uh generally talking a lot with

people any anywhere from the CEO to a developer and either Consulting them on

security terms or hearing what they want to do next and trying to figure out what's the risk there and how we could mitigate it or avoid it early

uh trying to keep up with a lot of things both in terms of what technologies we use but also what's

happening in the world so example would be we don't use Microsoft but if Microsoft is under

heavy attack that might affect our customers which might reflect on us or even if I don't use Microsoft I still

need to care that Microsoft is having an issue so that's a lot of blogs

twitters Twitter watching videos trying to keep in touch with several professionals and friends on LinkedIn

like an an assortment of things interesting how do you balance between doing work that is let's say

work work like really implementing new Solutions managing the team talking to management and learning learning about

new things happening learning about new technologies so I I I do believe in the idea of Hands-On learning so for

example if I want to consult our team on how to implement some piece of code to

not have have an SQL injection sure I can tell them go read the document but I can also try to write a small piece of

code myself and understand why was it vulnerable and why and how can we make it not being vulnerable and then I can

go to them and say hey guys look I'm not a developer but I wrote These 10 lines and this is bad this is good can you

translate that into our actual code base and avoid having this mistake and that

means that I learned something not only about the theory of what is an SQL injection but also what it's

pragmatically uh how he pragmatically implemented or not implemented but also the developers hopefully look at me and

go like okay he's not just giving us a standard or a piece of paper to work at he's willing to work with

us interesting do you ever feel like a bad cop like is there ever the I have to

say no oh I I say no all the time but nobody cares

um so let me explain this say that I I I'll tell you what I mean again I that's

one of the things that I try to clarify before I join any company and I I'm explaining that there's two operational

models one is I'm fully responsible for security which means that I can say yes or no but that also means that I have

the budget and I can override other people in the company and then sorry very rarely any company will

allow me to do that then the other model which is very common is something of a

trusted advisor so someone will say oh we need to do this new thing so I will look at this new thing and say I see

these five risks uh ideally if we don't do this we don't have to care about these five risks if we do want to do

this here is what we need to do to mitigate these five risks or eliminate them and then I submit that to the

business owner which usually will be someone like a CO or a CEO and then they can make an educated decision and if

they tell me we need to mitigate then I will work on my proposals to mitigate and if they say you know what it doesn't

worth it we're going to take the risk and if it blows it blows that's fine we document that and we do that so um

that's why I say I say no but at the end of the day not a lot of things are my decision because security is there to

support the business and enable the business and if the business is willing to take a risk after they understand the

implications then who am I to say no to that interesting so you're saying at the

end of the day I don't make the decision I let them know what the cont consequences might be what the risk is

and then they decide what actually happens yeah the typical example I give is like imagine you are smoking and you

go to the doctor right and the doctor says you know what that's not good for you you need to stop smoking and then

it's up to you right you know the consequences the doctor will not come to your house and take your cigarettes away

um if you want to listen to the doctor that's great you're going to benefit the doctor is going to happy is going to be happy because you live longer you go

like yeah you know what smoking is cool I don't care about the risk then that's on you like what do we want the doctor

to do more interesting have you ever been part of a company that had a serious breach

or a security incident of course no names or anything like that but have you had to deal with that uh kind of so I

joined the company like one week after they had the big

incident so although I wasn't present for the incident itself I had to deal with the aftermath and and the aftermath

included both the technical side of how do we make sure that this never happens again and where did we fail when this

happen but also communication because it happened in a company where our target

audience and the people who were affected are extremely technical geeky people so they had a lot of questions

it's it's not like they understand the internet they understand what the bridge is they understand they wanted to know

how that happened so there was a lot of stakeholder management both internally but also externally plus the technical

work that we needed to do to never have it happen again how do you deal with that kind of

situation so generally my Approach is being as honest as possible assuming

that the lawyers approve right because uh from a technical perspective it's quite easy to explain what happened so

we forgot to do X that means that an attacker found X and they exploited it

and they stole 10 records or whatever it's it's very easy to say say that now the question is what are the legal

implications of you saying that and that needs to be cleared by legal and and PR people and that type of thing but after

they gave me some kind of guidelines of what I can say can not say then I try to be as honest as possible and explain to

the users look we're all on the internet uh we most of us grew up on the Internet we know that bad things happen we

apologize we're going to be better by doing XYZ sorry for the inconvenience and in the first two months people were

really pissed and we saw our uh subscription base going down but then after two months they kind of realized

that we we were being honest about it and uh we hit the previous level and continued growing so although it was

very uncomfortable it didn't like really affect the company in terms of the company having to shut down because of

that one incident cool do you think it's common

for companies to think they're more secure than they actually are I think it's difficult to measure it

in a reliable way so generally you have a feeling right so the feeling can be I

have X number of monitoring tools that show everything green I look around and

I see people following the processes now are the processes secure hopefully some external auditor will weigh in on that I

feel it's very very difficult to measure like you can identify gaps and say oh we don't have a process for x or for why

but if you have the process I don't know how you say that makes me 80% secure 90%

secure interesting so you're saying it's more of a 90 or 10 I'm saying it's more of a feeling

like there is some objectivity in theory so if if you go for some kind of certification like ISO 2701 or so two or

these type of things or PCI hopefully they they do enough checking to say that you have if whatever is needed in order

but I don't think that if you look at two companies that went through PCI a they will be doing exactly the same

thing so there is some subjectivity from the auditor side there so that means like on paper these companies are

equally good but realistically one company may be doing 10 more things and therefore hopefully they're better but

this is not depicted anywhere and very difficult to see got it is there any significant

difference between working in a fintech company like you do now and working in a company that's

more maybe like regular Tech where the where data Beach isn't as big of a

deal I think one uh one key difference or key difference one big difference is

for sure the fact that finex are way more regulated is my feeling compared to

previous companies that means that if you look past the typical infos

standards like ISO PCI so whatever then you will find that your business is regulated by some sort of a e original

or like Grand regulator like an EU entity which means you have to care

about way more things than a company that maybe isn't so much regulated uh if you go past that I don't

think it's a huge difference so at the end of the day each company uses data to to do whatever they do and

in our case it's financial information and if you work for a health startup or a health company it's medical records

and if you work for someone else it's probably customer information but

like data is data and we need to protect this data I don't think like the form of the data makes a huge difference what it

makes a difference is how many external authorities are interested in how you're doing

that interesting do you feel like the stress of being well actually I'll phrase that

differently as a ceso it sounds like you're always very on like you're very

ready for anything to happen do you see a lot of people dealing with stress

stress in healthy ways in the field or is it something that Les talked about do

you even experience it I think I think there is a level of stress I the way I

try to approach it is with my favorite expression which is it is what it is so

whatever happens either I have control over it and I can do something about it which means there's no reason to stress

or I don't have control over it which means stressing doesn't help so

give you an example uh if I use GitHub to store my source code and GitHub dies

for three hours it's not great but what can I do like I'm sure the GitHub Engineers are working on it to get it

back uh on the other hand if I realize that I have really crappy permissions on

GitHub I can fix it so again no stress uh so I think again it's about um

expectation management so like what is expected of a season what do you think your role is uh obviously nobody wants

to sit in a company where your main partner is down and every nothing is

working but then if you have identified that this is a risk if the management told you we're not going to buy a second

GitHub like we're not going to get gitlab as well as a backup then you've done your job you identify the risk the

company accepted it you will assist GitHub if they ask you but why would

they ask you and that's it and then you wait for GitHub to come up

that's a very calm nice approach to it so that's interesting to hear do you H I

got a had a question as you were talking um I don't know maybe I'll come

back later what do you think right now is one of the biggest challenges in cyber

security um so I I don't think I can speak for the whole field but uh one of

the thing that kind of stresses me um is the fact that everything nowadays is

cloudbased or SAS based or whatever you want to call it so back in the day way back in the day

when people needed something we'll have to deploy a server in our data center and we knew exactly what was happening

today I'm not sure I can tell you with 100% certainty what we are doing as a

company and what I mean by that is we we offer let's say our employees do Services where they can store files and

they can exchange files but I'm quite certain a nonzero chance that some

people somewhere are using a service that they know nothing about and they have put some company documents on that service and then these people will leave

the company and these documents will never be deleted on that service uh so that's a bit scary and we we try to

manage it it's easier it's easier to be managed if the service requires some

form of payment because we can control that on the finance level but if it's a totally free service like let's say

Dropbox if someone just download the drbox and they're using it to store documents I will never know about it

that's a source of a bridge I won't even know how to respond if we are breached

by using an unauthorized service so that's the the thing that stresses me the

most interesting what do you think is something that people tend to not really

understand when they're not from the security field and they make these

decisions maybe to do things that risk the company'sposition I think um I think it's twofold right one

is I'm starting from the position that people are not uh inherently malicious

so when someone does something that is not really as secure as it should be my

initial understanding and assumption is that they made it either by accident or because they didn't think that they're doing something bad so that's on on me

and and my team and the rest of the company to actually educate people and and let them know that we have some

approved tools and processes and whatever for a reason and they shouldn't sacrifice security for their

convenience uh the other thing is um especially with younger people they grew

up on the internet and they internet was a thing basically for them since forever

and although they know how to use it they don't necessarily understand how it works so it's not always evident to them

what it means to use a service to upload your data somewhere to log in somewhere

to reuse the same password for convenience to download random applications to your phone or to your

computer and whatnot again they I I recognize that it didn't have to be

there when these things were being built and we have to understand what we're building but again it's an awareness and

I don't like the word training but awareness keep telling people like yeah there is a way to do this let me help

you or ask me if you don't fully understand what's going on how do you create a culture that is

security aware in a company that like the employees know to come and ask you if anything looks weird yeah so tying

back to what you asked me about being the bad cup and saying no so I I I don't really say no I I say yes but let's XYZ

which means you want to do that cool okay yes but let's see can we do it in a

secure way do we have a way already today it works or or whatever um the second thing is I try very very hard to

avoid personal blame so someone clicks on a fcing link I will definitely not

make that public I might speak to that person and try to identify why that was the case but I try to focus more on the

problem and less on the who created the problem because that makes the person even more defensive in the long run and

the third one I think it stems from the top right so um I had experiences in the past

where we deployed a policy that said we shouldn't do X and then I had the CEO doing X and that's not great because if

people see the CEO doing X and I think that the policy doesn't apply to anybody and then I had to educate the management

team that look either we have this policy and you goly or we don't have this policy and then this is the risk

and are you happy with that uh so I think comes from the top like it's

important for the CEO to either talk about these things or bring in the security talk to the whole company company so show to the company that

security is important and that people can just brush it under the rag if they don't feel that it's convenient for

them interesting do you remember any um security mistake that you've done that

created some issue and then you had to deal with the consequences oh yeah yeah

let me know all right so that's quite early in my career and I was working as a security consultant so we were

employed by a mobile operator company think like uh orange O2 these type of

people to do an assessment of their infrastructure uh they provided us with

an IP range that we were supposed to test and they made a mistake in the range and we made a mistake by not

confirming with them the range so effectively we we were supposed to attack like let's say 250 computers and

we ended up attacking 60,000 computers and some of the devices on that Network were not really built to be

attacked so effectively we killed mobile Communications for that provider for

seven minutes for a whole country nice yeah I don't know if it's

nice it happened so what do you do after an event like that like what what's going in your mind

what do You' actually do so first of all we apologized second of all we tried to

see if we follow follow our Moto which is script am man like the the written

stuff remains so we did check all the communication and we did identify that that's what they told us of course we

should have confirmed but at the end of the day we also said like look you told us to do this we did this we screwed up

we apologize but yeah it is what it is uh so yeah we finished the assessment

they weren't extremely happy about it but on the other hand they understood that if anything happened to that

particular piece of network mobile operations will die in the country so that was a good test for them to go and

fix it uh they didn't really ask for it but they get as abonus that's nice um interesting how do you view balancing

between business on the one hand like communicating to management the

needs and actually keeping a company secure but not creating a situation where like

people can't do things all right so generally my input

is three three things right so one source of input is regulations so if we

are obliged to fulfill a standard like PCI because we we handle credit cards or because we operate in a particular

region and the regulator says you need to do X I consider these things non-negotiable and I explain to the man

that like okay if we fail on this we're not getting the license from the regulator or we are failing the PCI

accreditation so do you agree that these are non-negotiable yes great this we're doing no matter what the second source

of information is the internal risk management so after we have done all the basic stuff that PCI and anybody else

requires is all right we know our system better than anyone where do we think we might have problems and then we document

this we assess the risk and sometimes we on it and sometime we accept it and sometime we review it after a few months

to decide what we're going to do uh so that's the area where there's a bit of

negotiation with the business which is uh sure I see it as a risk but maybe you guys in sales don't see it as a risk but

like can we agree if not we're going to push it up to the co or the CEO to make

a decision and then the third source is what you would call like housekeeping or

best practices and and those are try to do as much as possible when they start

introducing a lot of hustle or a lot of cost maybe I will move them into the risk management bucket but if it's more

simple things that they wouldn't change life significantly within the company I just try to do them with some agreement

from the internal stakeholders like H guys I'm going to reorganize the access groups and you lose access for 30

minutes but after that it's going to be easier to handle access or you know things like that so yeah so So based on

these three buckets uh some some of them are kind of forced some is a negotiation

and some are not exactly optional but also you know you have to be a bit cool

about it don't go crazy got it got it and do you think there's like

um widespread agreement overall about what you said within cesos so do you think

each person has like their own way of Vie it I think it's

um I I don't think there's an agreement like uh I occasionally check LinkedIn

and I see CES a job Adge and they can range from anything to you need to have

two years of experience do you need to have 25 years of experience and uh you need to be an individual contributor

with hands on to you will manage a team of 100 people and you not touch a single

server so I think generally what the companies are looking for is someone to

assume certain responsibilities about infos or it security but I don't think

there's an agreement like if you say CFO everybody pretty much understand the same thing right but if you say ceso it

can be one individual contributor who also configures the faral themselves or

it can be someone who has 20 teams and each team has five people and each one

is really focused one team on the firewalls one team on identity management one team on incident

management and what not so I think there's a huge discrepancy of what the role means and you need to ask for more

questions basically if you want to understand what's going on interesting is that something that

happened over the past few years or was it always sort of a role where it wasn't

really defined I think it expanded more the the last few years and the reason is that

because of certain regulations and then and that kind of influence more companies were forced to have someone to

deal with security if I look 20 years back maybe even a bit more most

companies maybe have someone called Chief security officer and their job will be mostly to deal with physical

security so Corporate Offices data centers that sort of thing and the IT

security or the technical security would mostly go into some kind of a platform engineering it

Department um I think they they started to carve that out now and most companies

nowadays at least the ones I see they dropped the need for physical security because everybody moved to AWS gcp Azure

or something similar uh Corporate Offices is still a thing for some companies many others have moved to

employee collocation or even work from home so they started bringing in seizur

to work more with the information on the technical aspects of security and less with the physical aspects of security

cool how do you feel about AI I mean I don't know I don't

care really like because I see that sometimes cesos are like this is amazing this is going to

help security so much this is wow and the others are more like this is going

to make fishing so much more complicated this is going to create new kinds of

attacks and so I I will okay let me rephrase the I do not care so what

happens at the moment is every vendor Under the Sun is reaching out to me and they say our product has Ai and that

part I really do not care um so I if I'm buying a product I want it to solve a

problem and I don't really care how you do it solving the problem so you can have ai you can have one billion people

working behind the scenes you can do whatever I'm not buying because you have technology X I'm buying you because I

want to achieve something uh so from that perspective I think so far it has been very hyped

marketing wise and I I don't really subscribe to oh buy this antivirus

because it has AI okay great like does it work uh is the OB this question in

I've doubled a bit with uh CH jbt and in terms of information security so it's a

good help right so instead of Googling for things I could ask sgbt and will give me some examples so good example I

can bring up here is let's say I want to write a new policy I have an idea of how to do it but I would like some kind of a

template to bounce off so I can either Google and download 10 templates and try to synthesize them myself or I can ask

chbt and will give me some answers and then I need to adopt them to my company

so to that extent it works I think problems here will arise if you don't really know what you're doing and alib

spech two pages and you go like sure I'll just do that and then you don't have the context of what you're doing

and then the other area I played with is um co-pilot Cloe like code completion

these type of things uh for simple things that I do because I'm not a developer they seem to

work quite nice and and they do help me and I I don't fully understand how it happens but I can ask the AI questions

about why it made the decision it will give me an answer that I can understand I don't know if we're at the point where

I could trust our developers to use that code directly into production but if it helps them become better better educated

I'm all for it like I'm not going to object to an awareness tool I just told

them like do not copy paste that code into production unless you fully understand what it's

doing interesting do you manage a team currently

Indirectly, yes. So I have a bunch of people that we have dubbed the security champions. Generally my preference is to not have a security team but to work with people who are either security-knowledgeable or security-interested and closer to the ground, because what I have observed in the past when having a security team is that people generally took the approach of, oh, this is going to be handled by the security department, I do not need to care that much, and then they throw it over the fence, and typically that doesn't work. So in the past few companies I worked with the idea that, look, I have a security champion in the platform team, so if I want to do infrastructure improvements, that's my person. I have a security champion within finance, so if I want to do anything with the way we do security in the finance system, that's my person. And the same with development and people operations and whatnot. So they don't really report to me in the sense that I will do their annual review or anything like that, but we do work as a team to make sure that we achieve the goals throughout the company.

Interesting. So you prefer that you don't have anyone that's specifically security?

I prefer that for two reasons. One is the reason I explained, which is if you have 100 developers and you have three or four security engineers, these four security engineers cannot review and fix code from 100 developers on a daily basis, right? So it's a scaling problem. The second thing is it's way more probable that people in people operations understand the HR system than a person that I will hire in the security team. So if I want to ensure that the HR system has proper permissions, working with someone from people operations, even if they can't express themselves in technical terms, they can still explain to me exactly how they would like the system to be handled, and I can give them and other people documentation and we can make it happen for them. The opposite of that would be I assign a security engineer, he has never seen the HR system before in his life, like they have no understanding of how to build permissions, and even if they do, they don't know the use cases, so it ends up like an unsuccessful project.

Interesting. That's an approach I haven't heard yet, but I can see how it makes sense, like that you're kind of putting the responsibility between a lot of different people who have a lot of different knowledge types.

Yeah, like a good example for this is, let's say, vulnerability assessment. So we, me and my people, would provide the tool and we will provide explanations of what the tool responds with, but at the end of the day, besides what the tool says, the developer will be much better able to tell me, you know what, yes, the tool is right, but this will never happen because in front of that server there's this other server that will never allow this to happen. And because they're working with that on a daily basis, they will have a bit better understanding compared to me that has more of a bird's-eye view.

Cool. What do you think changed about cybersecurity over, like, your decade?

Like, I think the fact that we don't own anything. So again, back in the day, you needed a web server, you put it in your data center; you needed a source code repository, you installed something on your server; you needed a mail server, you deployed Exchange or whatever it is. Now everything is in the cloud, everything is interconnected. You have some knowledge or degree of certainty of where your data are flowing, but it's not very easy to understand what will be the impact of something. So if I'm using GitHub and GitHub loses one of their suppliers for three hours, I'm impacted, but like, why? I never heard of that company, I don't understand why I'm impacted. So it became way more complex because everything now works on APIs and interconnections, and it's a way more complex mesh to understand what the impact might be if something happens anywhere in that mesh.

Interesting. Is there anything that you think CISOs tend to overlook or maybe miss?

I don't think we overlook anything. I think what we definitely miss, and I miss all the time, is when things happen and I don't know about it. So right now I'm working in a company which is remote-first, which means that, like, the product owner and the head of engineering might now be discussing something totally revolutionary that will destroy everything, and unless one of them pings me, I will not hear about it until they start writing code about it. So I think it's an information issue slash problem. Maybe it was marginally better when we were all in offices and you could have lunch with your colleagues and, you know, ask them, hey, what are you working on? But I do think that's the part that I miss often, maybe not that often nowadays, but I still miss, like, someone is deciding something, they haven't asked security for input, and then we go before some already-made decision and then we need to scramble to fix it.

Interesting. What do you think the field is going to look like in a few years, and what do you think the CISO role will look like? Do you think it's going to stay the same sort of undefined, pretty open-to-anything term, CISO, or do you think it's going to get more specific?

I don't really have, like, great visibility into this. I can tell you from personal experience it will depend a lot on how much the regulators decide to act on this. So for example, in my current company, we're regulated both by US regulators and European regulators. Now, the European regulators, they do have regulations about security, but they don't really call out any specifics related to what the CISO should be doing. Like DORA, for example, that's coming in; they do have a lot of activities, but certainly they talk about, like, a competent person, and in these types of terms, pretty much what GDPR did with the role of the DPO: very high level, very vague. On the other hand, the US regulators, they do specify what they want the CISO to do. They also want to approve the CISO through some kind of an application process. So for them it's a bit more well structured, in the sense that if you're a fintech and you're having a license in the US, there is a framework that defines you as a CISO, or at least an expectation from the regulatory side of what you should be doing. So I don't know if that US mentality will prevail or the European one will prevail, but I don't think the companies will come into an agreement themselves and agree what the role is if it's not forced externally. Every company will tailor it to what they believe is their need for that role.

And in terms of the field, like, I don't know. Unless AI does something magical and we get to a point where we can use it and it's absolutely tailored to our own business and not getting a generic answer, I don't see a lot of change. I see more need probably for people with good technical understanding, because, as I said, we're getting more interconnected. So maybe five years ago you could just say, I understand AWS, and be good enough, but now you need to know AWS and a bit of GCP and a bit of something else, and AWS is talking to GitHub and GitHub is talking to Slack. So I think the bar for technical knowledge is probably going higher.

Great. Lost my chain of thought. So what do you think is an important piece of advice for someone who is looking to get into cybersecurity, or is, you know, just starting out but wanting to get to these higher levels of being CISO?

All right. I would say, as a first step, security has a lot of fields and you need to figure out what you like, and what you like you're going to be doing for a very long time. So if you really want to do technical stuff, then maybe you can start as a pen tester and move from there. If you like to do technical stuff but also build things instead of destroying things, maybe you can be like a DevSecOps engineer, either focusing on infrastructure or, sorry, on development, developing code. If you like structure and standards and approach, you can work as a security manager, like working with policies, putting process in place, whatever. So initially you won't be able to specialize in everything at the same time, that's for sure, so you probably need to pick something that you like and you want to drill into it, and then after you achieve some level of, I don't know if I'm going to call it mastery or familiarity with that domain, you need to start expanding into the other domains and at least get some knowledge on what's happening in that domain. So if you're an excellent pen tester but you can't write, like, two pages of text as a document, a policy guideline or even a report, then that's not going to be great. If you are great at writing policies but you have no understanding of how they technically apply to the organization, probably you need to fix that. So find something you like, build it good, and then start expanding to the adjacent areas, and you need to get to a point where, I think it's ISC2 that says it like this, you need to be a mile wide and an inch deep, but you need to be more than an inch deep in certain areas, because otherwise you're, what's the other expression, jack of all trades, master of none, I think.

Nice. So I have one final question. Before that, thank you so much for your time. I feel like this has been very, what's the word, like, I learned a lot.

That's great. Thank you.

Yeah, and also, like you said, cynical in the beginning, and I can see, like, the view, but I feel like you have a very light approach to it, like you do it from a place of, you understand the meaning and you understand why it's important, but you don't take it, let's say, too seriously.

Which is, I mean, again, it's what you can control, right? So if you can control it, sure, put in the effort, put in the time, put in not the stress but the passion behind it. If you cannot control it, yeah, I don't know, right?

Okay, so my final question is:

You've been a CISO for more than a minute. What do you like most about the job? Why do you stay so long?

So what I like most about the job is that, if done as it's in my mind, you get exposure to every single part of the company, and I like learning, I like interacting with people. So being a CISO means that today I'm talking to developers, and then my next meeting will be with finance, and then I have to meet some auditors, and then I'm talking to people operations, and then I'm talking to my boss to give him a summary of what's going on. So I do love that part, because you get to understand fully what the company is doing and you can influence. Maybe not all the time is it very visible where you influence and what's the result of that, but at least you know that you tried your best, either by implementing things or by consulting the company on how to do things. And also I do like that it's an ever-changing field, so I still have the energy to keep learning, to keep following up what's going on. So I do enjoy it. I don't know that it's going to be a thing in 10 years, if I will still have the energy to follow with that amount of passion, but for now it's working and I find it enjoyable.

Amazing. Thank you so much.

You're welcome.

Ensure SOC2, HIPAA and GDPR compliance across all your SaaS tools

Built in Tel Aviv, Israel
